Bug in the Bug Tracker

On September 29th, Check Point’s Malware and Vulnerability Research Group uncovered a critical privilege escalation vulnerability in the popular bug-tracking platform called Bugzilla. According to the CVE security vulnerability database (cvedetails.com), this is the first privilege escalation bug uncovered in the Bugzilla project since 2002. (See also:Bugzilla Zero-Day Exposes Zero-Day Bugs by Brian Krebs)

Check Point’s security researchers have informed the Mozilla Foundation and the team leading the Bugzilla project about this particular vulnerability. Mozilla and Bugzilla have recognized the critical nature of this vulnerability and have assigned the following CVE identifier for it: CVE-2014-1572.

Detailed Analysis

Bugzilla is a widely used bug-tracking software with a substantial number of public and private installations. Popular open source projects managing their bugs using Bugzilla include Apache, Firefox, the Linux kernel, OpenSSH, Eclipse, KDE, and GNOME as well as, many Linux distributions. Organizations using this software should be aware of the risks this vulnerability brings to their data.

Analysis by Check Point security researchers revealed how this particular vulnerability could be exploited by attackers:

This bug enables users to masquerade their identity and register under an email address not in their control.

In some installations, this can automatically provide the user with certain elevated permissions, if these are given to groups defined by regex matching.

These permissions can include the visibility of otherwise private bug data, the ability to edit and revise bug submissions, as well as other critical actions on the installation.

The Bugzilla team has confirmed that this particular vulnerability affects all versions of Bugzilla since 2.23.3 released in 2006. Bugzilla administrators are urged to deploy the patch and upgrade their software immediately. It is unknown whether any attacks have occurred as a result of this vulnerability but we recommend that Bugzilla installation administrators screen their current user lists for suspicious activity.

Check Point Customers

Check Point has released an IPS protection to protect against this vulnerability. For details about this particular IPS protection, please see: CPAI-2014-1871

Additional information

Disclosure timeline

September 29th – Vulnerability discovered and verified by Check Point security researchers

September 30th – Report submitted to the Bugzilla team

September 30th – Acknowledgement and confirmation of vulnerability and severity received by Mozilla